[Dshield] Veritas Backup Exec Windows Agent Remote File Access Exploit

Frank Knobbe frank at knobbe.us
Sat Aug 13 00:10:21 GMT 2005


On Fri, 2005-08-12 at 18:49 -0500, Frank Knobbe wrote:
>  I mean,
> if you are authenticated and authorized to BACKUP using the hard coded
> root account, aren't you also able to RESTORE data to the server?

Let me just answer myself. According to
http://www.ndmp.org/info/spec.shtml
there is a DATA_START_RECOVER request. So the exploit (which only uses
DATA_START_DUMP) could be easily rewritten to RESTORE files to the
vulnerable agent.

I leave the creation of an upload exploit script as an exercise to the
reader.

Better get patching before the pubstros are RESTORED onto the boxes!


Cheers,
Frank



-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
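
An added example for defenders, not part of the original post or of any vendor code: it reads NDMP record headers out of captured client-to-agent TCP payloads and reports backup and recover requests sent by hosts that are not on an allowlist of backup media servers. The message codes, the mapping of the post's DATA_START_DUMP to the spec name NDMP_DATA_START_BACKUP, the function names and the sample addresses are assumptions or constructed values.

```python
import struct
# Header "message" codes from the NDMP specification (assumed values, not from the post).
NDMP_CONNECT_OPEN = 0x900
NDMP_DATA_START_BACKUP = 0x401   # the request the post calls DATA_START_DUMP
NDMP_DATA_START_RECOVER = 0x402
WATCHED = {NDMP_DATA_START_BACKUP: "DATA_START_BACKUP",
           NDMP_DATA_START_RECOVER: "DATA_START_RECOVER"}
NDMP_REQUEST = 0                 # header message_type: 0 = request, 1 = reply
HEADER = struct.Struct(">6I")    # sequence, time_stamp, type, message, reply_seq, error

def ndmp_messages(stream):
    """Yield (message_type, message_code) for each complete record in a TCP payload."""
    pos, record = 0, b""
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        last, length = bool(mark & 0x80000000), mark & 0x7FFFFFFF
        pos += 4
        if pos + length > len(stream):
            return                      # truncated capture: stop, do not guess
        record += stream[pos:pos + length]
        pos += length
        if last:                        # XDR record marking: final fragment seen
            if len(record) >= HEADER.size:
                _, _, mtype, code, _, _ = HEADER.unpack_from(record)
                yield mtype, code
            record = b""

def audit(flows, media_servers):
    """Return (source, request name) for watched requests from non-allowlisted hosts."""
    alerts = []
    for src, payload in flows:
        for mtype, code in ndmp_messages(payload):
            if mtype == NDMP_REQUEST and code in WATCHED and src not in media_servers:
                alerts.append((src, WATCHED[code]))
    return alerts

def sample_frame(seq, mtype, code):
    """Build a header-only, single-fragment record for the constructed sample data."""
    msg = HEADER.pack(seq, 0, mtype, code, 0, 0)
    return struct.pack(">I", 0x80000000 | len(msg)) + msg

# Constructed sample flows: (source IP, client-to-agent bytes). Addresses are made up.
SAMPLE_FLOWS = [
    ("10.0.0.5", sample_frame(1, 0, NDMP_CONNECT_OPEN) + sample_frame(2, 0, NDMP_DATA_START_BACKUP)),
    ("192.0.2.77", sample_frame(1, 0, NDMP_CONNECT_OPEN) + sample_frame(2, 0, NDMP_DATA_START_RECOVER)),
    ("192.0.2.77", sample_frame(3, 1, NDMP_DATA_START_RECOVER)),  # a reply, ignored
]
if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS, media_servers={"10.0.0.5"}))
```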